FIG. 1 is a block diagram of a prior art Storage Area Network (SAN), which comprises an array of host computers 1, or hosts 1 (H1, H2, . . . , Hm) coupled via a SAN Switch 2, to an array of storage devices 4 (D1, D2, . . . , Dn). In FIG. 1 the number of hosts 1 and of storage devices 4, is limited but sufficient for illustrative purposes. The hosts 1, the SAN Switch 2 and the storage devices 4 are coupled by Fibre Channel (FC) links 5, or storage network links 5, in a storage network 5′, forming a SAN Fabric. A Fabric is a Fibre Channel Network. Users network links 6, pertaining to a user network 6′, connect users 7, a System Administrator 8, and the SAN Switch 2, to the hosts 1. The user network is an Ethernet, such as a LAN, a WAN, or the Internet.
It is noted that the SAN Switch 2 is also known in the art as a Fibre Channel Network Switch, a Fibre Channel Switch, or a Network Channel Switch. Storage devices are also referred to as storage subsystems, the devices not necessarily being of the same kind. The term storage device relates to all kinds of storage in use with digital data, such as disks, tapes, etc.
The SAN Switch 2, which is operated for routing I/O communications between the array of hosts 1 and the array of storage devices 4, is also utilized for zoning functions, in an attempt to provide at least some measure of security. The array of hosts 1 and the array of storage devices 4 are referred to as the physical devices of the SAN.
A zone is defined as a group of physical devices sharing permission for mutual communication. Practically, zones are formed between ports residing in the SAN Switch 2 and coupled to the physical devices. The smallest possible zone is a group of at least one port linked to a host 1, or host port, and of at least one port pertaining to a storage device 4, or device port, to which the SAN Switch 2 grants permission for mutual communication. The number of ports may be even or odd, but never less than two, so as to always couple at least one host 1 with at least one storage device 4. Ports belonging to different zones cannot communicate with each other, and therefore physical devices belonging to different zones are isolated from each other. When a host 1 has more than one Host Bus Adaptor (HBA), a zone is defined as a group of HBAs and storage devices sharing permission for mutual communication. Again, the minimum for one zone is one HBA and one storage device 4.
The SAN Switch 2 is coupled both to the storage network 5′, by links 5, and to the users network 6′, by links 6. One of the users 7 is defined as a System Administrator (SA) operating an SA workstation 8 privileged with access to the SAN Switch 2 via the users network 6′. By operating his workstation 8, the System Administrator may manually define zones of ports coupled to physical devices. Once defined, those zones are set and remain static.
What the SA actually defines is the zoning of ports connected to hosts 1 and to storage devices 4, each port having an identity number. The mere connection to a port number does not vouch for the identity of the physical device that is intended to be, or is actually, connected to that port.
It is recognized that the conventional zoning exercised by the SAN Switch 2 presents security loopholes. Modern SAN systems consist of arrays with numerous hosts 1, distant and remote from the SAN, which eases the disguise of a fake host 1 as a genuine computer. Even though the SAN Switch 2 is coupled directly to a host 1, the switch is not equipped with means to block a rogue host from joining the storage network 5′ in disguise, by adopting a fake identity and posing as a legal host 1. Actually, the SAN Switch 2 recognizes a host 1 only by the port number, without any provision for the detection of a false identity hiding behind that port number.
Sometimes, the SA uses the WWN (World Wide Name) of an HBA (Host Bus Adaptor) to identify a host 1. Each host 1 has at least one HBA, and each HBA is identified by the 8 bytes of its unique WWN. However, there is nothing to certify that a given HBA with a WWN is really running in a host 1 legally coupled to the SAN. With computer crime on the increase, it is plausible to expect attempts to couple a fake host 1 to a SAN. In view of the foregoing, it is therefore maintained that the security of the SAN Fabric is in danger and includes loopholes.
The connection of a large number of physical devices inevitably results in a huge number of ports, all of which are manually zoned by the SA. Almost certainly, the manually performed zoning of dozens of ports will lead to coupling mistakes. This practice, prone to human error, creates another type of security flaw: although the System Administrator zones groups of specific physical devices together, one single mistaken coupling may add an uncalled-for physical device to a zone.
For example, a mistake like connecting a storage device 4 to a wrong port in a SAN Switch 2 may cause data corruption. In other words, a storage device 4, intended for connection to a specific port may be mistakenly, or perhaps intentionally, coupled to a port other than the intended specific port. It should be noted that the SAN Switch 2 does not recognize a storage device 4 by identity, but only recognizes the physical ports, assuming that the intended storage device 4 is appropriately linked thereto. Again, a security problem may develop, especially if a connection is intentionally mistaken. These examples illustrate some typical security flaws of the zoning-function of the SAN Switch 2. There is thus a need to provide security measures to SAN networks, and to prevent unauthorized access due to either human error or criminal intentions. Such unauthorized access usually occurs at ports, because of a mistakenly made connection or of the coupling of an illegal physical device.
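To make the two weaknesses described above concrete, the following is an added example (not part of the patent text): a minimal model of the port-based zoning of the SAN Switch 2, together with a WWN-based audit of what is actually attached to each port. The port numbers, WWNs and the mis-cabling scenario are constructed for illustration; the audit function and the `may_communicate` check are hypothetical names chosen here, not features of any real switch.

```python
"""Added example (not from the patent text): port-based SAN zoning as
described above, plus a WWN audit that detects the mis-cabling / device-swap
case the zoning function itself cannot see.  All identifiers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    number: int
    kind: str  # "host" (linked to an HBA) or "device" (linked to storage)


class SwitchZoning:
    """Port-based zoning: a zone is a set of switch ports granted mutual access."""

    def __init__(self, ports):
        self.ports = {p.number: p for p in ports}
        self.zones = {}

    def define_zone(self, name, port_numbers):
        members = frozenset(port_numbers)
        kinds = {self.ports[n].kind for n in members}
        # Smallest legal zone: at least one host port and one device port.
        if len(members) < 2 or kinds != {"host", "device"}:
            raise ValueError(f"zone {name!r} needs a host port and a device port")
        self.zones[name] = members

    def may_communicate(self, port_a, port_b):
        """The switch decides purely on port membership, never on who is attached."""
        return any(port_a in z and port_b in z for z in self.zones.values())


def audit_attachments(expected, observed):
    """Compare the WWN the SA expects behind each port with the WWN actually
    observed there (e.g. taken from the switch's fabric login table).
    Returns (port, expected_wwn, observed_wwn) findings; empty means consistent."""
    findings = []
    for port, exp_wwn in sorted(expected.items()):
        obs_wwn = observed.get(port)
        if obs_wwn != exp_wwn:
            findings.append((port, exp_wwn, obs_wwn))
    # A device logged in on a port the inventory never assigned is also a finding.
    for port, obs_wwn in sorted(observed.items()):
        if port not in expected:
            findings.append((port, None, obs_wwn))
    return findings


# --- constructed sample fabric -------------------------------------------
PORTS = [Port(1, "host"), Port(2, "host"), Port(11, "device"), Port(12, "device")]

# SA's inventory: which HBA / storage WWN is supposed to sit behind each port.
EXPECTED_WWN = {
    1: "10:00:00:00:c9:aa:00:01",   # H1's HBA
    2: "10:00:00:00:c9:aa:00:02",   # H2's HBA
    11: "50:06:01:60:00:00:00:11",  # D1
    12: "50:06:01:60:00:00:00:12",  # D2
}


def build_switch():
    sw = SwitchZoning(PORTS)
    sw.define_zone("zone_A", [1, 11])  # H1 <-> D1
    sw.define_zone("zone_B", [2, 12])  # H2 <-> D2
    return sw


def demo():
    sw = build_switch()
    # Observed logins after a cabling mistake: D1 and D2 were swapped, and an
    # HBA that is not in the inventory has logged in on port 2 in place of H2's.
    observed = {
        1: "10:00:00:00:c9:aa:00:01",
        2: "10:00:00:00:c9:ff:ff:ff",   # unknown WWN
        11: "50:06:01:60:00:00:00:12",  # D2 where D1 should be
        12: "50:06:01:60:00:00:00:11",  # D1 where D2 should be
    }
    # Zoning still answers purely by port: H1's port may talk to port 11,
    # although port 11 now carries D2.
    zoning_view = sw.may_communicate(1, 11)
    return zoning_view, audit_attachments(EXPECTED_WWN, observed)


if __name__ == "__main__":
    allowed, findings = demo()
    print("zoning permits port 1 <-> port 11:", allowed)
    for port, exp, obs in findings:
        print(f"port {port}: expected {exp}, observed {obs}")
```

The point the example makes is the one the text makes: `may_communicate` never changes its answer when the device behind a port is swapped, because the switch sees only port numbers, whereas an inventory of expected WWNs per port turns both the accidental swap and the unlisted HBA into explicit findings that an administrator or a monitoring program can act on.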
Consideration should also be given to the fact that a SAN is not a static facility with a frozen configuration, since hosts 1 and storage devices 4 are frequently added or deleted. An addition usually indicates an intentional expansion of resources, while a deletion may point to an accidental failure. Since a SAN Fabric is subject to instant configuration change, there is a need for dynamic security monitoring capabilities. Most of all, it is recognized that a tool is absent which might permit the remote dynamic management of the security of a SAN, under automatic control of a computer program.
Presently, there is an acute need for the provision of both data storage and data transfer security. This need is especially emphasized in view of the growing intricacy of systems as well as of the escalation of criminal activity.